b8a6780d631933813dc8f4439d761acf686e4369e615e264a5298ec555b400ad

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe
Size

649KB
MD5

3057c53c96a70509e952b12edf398b1e
SHA1

27c272b38249106e2287cfa5ac8ad8b8108196cd
SHA256

b8a6780d631933813dc8f4439d761acf686e4369e615e264a5298ec555b400ad
SHA512

62bf7ec7e6e75910e6aeb8bb4c7e3c7072f5544ac78ace3e22c5f1301da06652df369b9508f669efa99b60115795a8f59b33ed2d77e6c51e6db9ea65244a663b
SSDEEP

12288:zq20BpltdyUDZX2wh5vA/OSXhVt0rYTGApYIQONYA4gT9CBqwN4IQ:QBTtdyO2wh5I1TPG3ISA4CwN

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2632	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wTask = "C:\\Windows\\Media\\LTaskup.exe"	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\lnk_dados_2.dll	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe
File created	C:\Windows\Media\LTaskup.exe	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Kills process with taskkill 43 IoCs

evasion

pid	Process
2684	taskkill.exe
1968	taskkill.exe
2180	taskkill.exe
2792	taskkill.exe
2500	taskkill.exe
864	taskkill.exe
3004	taskkill.exe
2336	taskkill.exe
3472	taskkill.exe
2752	taskkill.exe
2564	taskkill.exe
2672	taskkill.exe
572	taskkill.exe
2728	taskkill.exe
2936	taskkill.exe
2852	taskkill.exe
2992	taskkill.exe
940	taskkill.exe
1868	taskkill.exe
1468	taskkill.exe
2220	taskkill.exe
2924	taskkill.exe
2576	taskkill.exe
3040	taskkill.exe
1620	taskkill.exe
2520	taskkill.exe
2088	taskkill.exe
800	taskkill.exe
2660	taskkill.exe
2768	taskkill.exe
1744	taskkill.exe
2740	taskkill.exe
2084	taskkill.exe
2292	taskkill.exe
2224	taskkill.exe
2600	taskkill.exe
1072	taskkill.exe
2540	taskkill.exe
1936	taskkill.exe
1820	taskkill.exe
3708	taskkill.exe
2616	taskkill.exe
2896	taskkill.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	3472	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2632	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2632	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2632	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2632	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2660	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2660	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2660	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2660	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	31
PID 2596 wrote to memory of 2768	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2768	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2768	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2768	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	33
PID 2596 wrote to memory of 2752	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	35
PID 2596 wrote to memory of 2752	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	35
PID 2596 wrote to memory of 2752	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	35
PID 2596 wrote to memory of 2752	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	35
PID 2596 wrote to memory of 2936	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	36
PID 2596 wrote to memory of 2936	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	36
PID 2596 wrote to memory of 2936	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	36
PID 2596 wrote to memory of 2936	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	36
PID 2596 wrote to memory of 2924	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	37
PID 2596 wrote to memory of 2924	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	37
PID 2596 wrote to memory of 2924	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	37
PID 2596 wrote to memory of 2924	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	37
PID 2596 wrote to memory of 2792	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	39
PID 2596 wrote to memory of 2792	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	39
PID 2596 wrote to memory of 2792	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	39
PID 2596 wrote to memory of 2792	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	39
PID 2596 wrote to memory of 1072	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	40
PID 2596 wrote to memory of 1072	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	40
PID 2596 wrote to memory of 1072	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	40
PID 2596 wrote to memory of 1072	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	40
PID 2596 wrote to memory of 2684	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	41
PID 2596 wrote to memory of 2684	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	41
PID 2596 wrote to memory of 2684	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	41
PID 2596 wrote to memory of 2684	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	41
PID 2596 wrote to memory of 2540	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	44
PID 2596 wrote to memory of 2540	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	44
PID 2596 wrote to memory of 2540	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	44
PID 2596 wrote to memory of 2540	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	44
PID 2596 wrote to memory of 2896	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	46
PID 2596 wrote to memory of 2896	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	46
PID 2596 wrote to memory of 2896	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	46
PID 2596 wrote to memory of 2896	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	46
PID 2596 wrote to memory of 2852	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	47
PID 2596 wrote to memory of 2852	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	47
PID 2596 wrote to memory of 2852	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	47
PID 2596 wrote to memory of 2852	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	47
PID 2596 wrote to memory of 2672	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	51
PID 2596 wrote to memory of 2672	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	51
PID 2596 wrote to memory of 2672	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	51
PID 2596 wrote to memory of 2672	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	51
PID 2596 wrote to memory of 2616	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	52
PID 2596 wrote to memory of 2616	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	52
PID 2596 wrote to memory of 2616	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	52
PID 2596 wrote to memory of 2616	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	52
PID 2596 wrote to memory of 2500	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	54
PID 2596 wrote to memory of 2500	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	54
PID 2596 wrote to memory of 2500	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	54
PID 2596 wrote to memory of 2500	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	54
PID 2596 wrote to memory of 2576	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	57
PID 2596 wrote to memory of 2576	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	57
PID 2596 wrote to memory of 2576	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	57
PID 2596 wrote to memory of 2576	2596	3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe	57

C:\Users\Admin\AppData\Local\Temp\3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3057c53c96a70509e952b12edf398b1e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\Media\LTaskup.exe RPC
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im nod32kui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im KAVPF.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Kav.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Mcdetect.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcregwiz.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McTskshd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcupdmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcupdui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfAgent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfConsole.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfTray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfWizard.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mvtx.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcappins.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcinfo.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcinsupd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McShield.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsmap.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im naiavfin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im oasclnt.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im gcasServ.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im zlclient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avgemc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avgupsvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avgamsvr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avgcc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ashdisp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ashmaisv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ashserv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ashwebsv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im aswupdsv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ccsetmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im cccproxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ccapp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ccevtmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im nod32krn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im nod32kui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-0-0x0000000013140000-0x00000000132A7000-memory.dmp

Filesize
1.4MB

Download
memory/2596-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2596-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2596-5-0x0000000013140000-0x00000000132A7000-memory.dmp

Filesize
1.4MB

Download
memory/2596-7-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2596-8-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2596-9-0x0000000013140000-0x00000000132A7000-memory.dmp

Filesize
1.4MB

Download
memory/2596-11-0x0000000013140000-0x00000000132A7000-memory.dmp

Filesize
1.4MB

Download
memory/2596-12-0x0000000013140000-0x00000000132A7000-memory.dmp

Filesize
1.4MB

Download
memory/2596-13-0x0000000013140000-0x00000000132A7000-memory.dmp

Filesize
1.4MB

Download
memory/2596-14-0x0000000013140000-0x00000000132A7000-memory.dmp

Filesize
1.4MB

Download
memory/2596-15-0x0000000013140000-0x00000000132A7000-memory.dmp

Filesize
1.4MB

Download
memory/2596-16-0x0000000013140000-0x00000000132A7000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads