metasploit | 356902ac1b2532a0f938728162a76e293ade1c89e0915319c7d4cf09b8ec3031

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe
Size

213KB
MD5

339cb8e57b78b295b7fca6bd0e4944bd
SHA1

6c7942db591c43d7a6238169e886abb958e51e01
SHA256

356902ac1b2532a0f938728162a76e293ade1c89e0915319c7d4cf09b8ec3031
SHA512

60d383ba5409d3a29c3264e45d0d2f7426343526acf8464d7e51162015b3fdf8f57a095f1ccaca4b847884d6fb79a71f4be5964e554cb3832a2bcbe94d24ea76
SSDEEP

6144:hlqtXlhQ8ZK0lAswvP6bQ7yMP+DE827YYscL:hlogQKXd6b7MP+Dd2UYZL

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

pid	Process
1608	WinzAPI32.exe
1152	WinzAPI32.exe
4388	WinzAPI32.exe
4628	WinzAPI32.exe
688	WinzAPI32.exe
1484	WinzAPI32.exe
2596	WinzAPI32.exe
4488	WinzAPI32.exe
2644	WinzAPI32.exe
2740	WinzAPI32.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	WinzAPI32.exe
File created	C:\Windows\SysWOW64\WinzAPI32.exe	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WinzAPI32.exe	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	WinzAPI32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	WinzAPI32.exe

Runs .reg file with regedit 11 IoCs

pid	Process
3772	regedit.exe
3660	regedit.exe
3772	regedit.exe
3716	regedit.exe
592	regedit.exe
1352	regedit.exe
4160	regedit.exe
1256	regedit.exe
1120	regedit.exe
924	regedit.exe
4964	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 1568	4348	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe	81
PID 4348 wrote to memory of 1568	4348	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe	81
PID 4348 wrote to memory of 1568	4348	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe	81
PID 1568 wrote to memory of 1352	1568	cmd.exe	82
PID 1568 wrote to memory of 1352	1568	cmd.exe	82
PID 1568 wrote to memory of 1352	1568	cmd.exe	82
PID 4348 wrote to memory of 1608	4348	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe	84
PID 4348 wrote to memory of 1608	4348	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe	84
PID 4348 wrote to memory of 1608	4348	339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe	84
PID 1608 wrote to memory of 4616	1608	WinzAPI32.exe	85
PID 1608 wrote to memory of 4616	1608	WinzAPI32.exe	85
PID 1608 wrote to memory of 4616	1608	WinzAPI32.exe	85
PID 4616 wrote to memory of 4160	4616	cmd.exe	86
PID 4616 wrote to memory of 4160	4616	cmd.exe	86
PID 4616 wrote to memory of 4160	4616	cmd.exe	86
PID 1608 wrote to memory of 1152	1608	WinzAPI32.exe	89
PID 1608 wrote to memory of 1152	1608	WinzAPI32.exe	89
PID 1608 wrote to memory of 1152	1608	WinzAPI32.exe	89
PID 1152 wrote to memory of 2260	1152	WinzAPI32.exe	90
PID 1152 wrote to memory of 2260	1152	WinzAPI32.exe	90
PID 1152 wrote to memory of 2260	1152	WinzAPI32.exe	90
PID 2260 wrote to memory of 1256	2260	cmd.exe	91
PID 2260 wrote to memory of 1256	2260	cmd.exe	91
PID 2260 wrote to memory of 1256	2260	cmd.exe	91
PID 1152 wrote to memory of 4388	1152	WinzAPI32.exe	92
PID 1152 wrote to memory of 4388	1152	WinzAPI32.exe	92
PID 1152 wrote to memory of 4388	1152	WinzAPI32.exe	92
PID 4388 wrote to memory of 4408	4388	WinzAPI32.exe	93
PID 4388 wrote to memory of 4408	4388	WinzAPI32.exe	93
PID 4388 wrote to memory of 4408	4388	WinzAPI32.exe	93
PID 4408 wrote to memory of 1120	4408	cmd.exe	94
PID 4408 wrote to memory of 1120	4408	cmd.exe	94
PID 4408 wrote to memory of 1120	4408	cmd.exe	94
PID 4388 wrote to memory of 4628	4388	WinzAPI32.exe	96
PID 4388 wrote to memory of 4628	4388	WinzAPI32.exe	96
PID 4388 wrote to memory of 4628	4388	WinzAPI32.exe	96
PID 4628 wrote to memory of 1992	4628	WinzAPI32.exe	97
PID 4628 wrote to memory of 1992	4628	WinzAPI32.exe	97
PID 4628 wrote to memory of 1992	4628	WinzAPI32.exe	97
PID 1992 wrote to memory of 3772	1992	cmd.exe	98
PID 1992 wrote to memory of 3772	1992	cmd.exe	98
PID 1992 wrote to memory of 3772	1992	cmd.exe	98
PID 4628 wrote to memory of 688	4628	WinzAPI32.exe	99
PID 4628 wrote to memory of 688	4628	WinzAPI32.exe	99
PID 4628 wrote to memory of 688	4628	WinzAPI32.exe	99
PID 688 wrote to memory of 4436	688	WinzAPI32.exe	100
PID 688 wrote to memory of 4436	688	WinzAPI32.exe	100
PID 688 wrote to memory of 4436	688	WinzAPI32.exe	100
PID 4436 wrote to memory of 924	4436	cmd.exe	101
PID 4436 wrote to memory of 924	4436	cmd.exe	101
PID 4436 wrote to memory of 924	4436	cmd.exe	101
PID 688 wrote to memory of 1484	688	WinzAPI32.exe	102
PID 688 wrote to memory of 1484	688	WinzAPI32.exe	102
PID 688 wrote to memory of 1484	688	WinzAPI32.exe	102
PID 1484 wrote to memory of 3240	1484	WinzAPI32.exe	103
PID 1484 wrote to memory of 3240	1484	WinzAPI32.exe	103
PID 1484 wrote to memory of 3240	1484	WinzAPI32.exe	103
PID 3240 wrote to memory of 4964	3240	cmd.exe	104
PID 3240 wrote to memory of 4964	3240	cmd.exe	104
PID 3240 wrote to memory of 4964	3240	cmd.exe	104
PID 1484 wrote to memory of 2596	1484	WinzAPI32.exe	105
PID 1484 wrote to memory of 2596	1484	WinzAPI32.exe	105
PID 1484 wrote to memory of 2596	1484	WinzAPI32.exe	105
PID 2596 wrote to memory of 3592	2596	WinzAPI32.exe	106

C:\Users\Admin\AppData\Local\Temp\339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:1352
- C:\Windows\SysWOW64\WinzAPI32.exe
  C:\Windows\system32\WinzAPI32.exe 1172 "C:\Users\Admin\AppData\Local\Temp\339cb8e57b78b295b7fca6bd0e4944bd_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      Runs .reg file with regedit
      PID:4160
- - C:\Windows\SysWOW64\WinzAPI32.exe
    C:\Windows\system32\WinzAPI32.exe 940 "C:\Windows\SysWOW64\WinzAPI32.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1256
  - - C:\Windows\SysWOW64\WinzAPI32.exe
      C:\Windows\system32\WinzAPI32.exe 1144 "C:\Windows\SysWOW64\WinzAPI32.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1120
    - - C:\Windows\SysWOW64\WinzAPI32.exe
        
        C:\Windows\system32\WinzAPI32.exe 1152 "C:\Windows\SysWOW64\WinzAPI32.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3772
      - C:\Windows\SysWOW64\WinzAPI32.exe
        
        C:\Windows\system32\WinzAPI32.exe 1156 "C:\Windows\SysWOW64\WinzAPI32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:924
        
        C:\Windows\SysWOW64\WinzAPI32.exe
        
        C:\Windows\system32\WinzAPI32.exe 1148 "C:\Windows\SysWOW64\WinzAPI32.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:4964
        
        C:\Windows\SysWOW64\WinzAPI32.exe
        
        C:\Windows\system32\WinzAPI32.exe 1168 "C:\Windows\SysWOW64\WinzAPI32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        9⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3716
        
        C:\Windows\SysWOW64\WinzAPI32.exe
        
        C:\Windows\system32\WinzAPI32.exe 1164 "C:\Windows\SysWOW64\WinzAPI32.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        10⤵
        
        PID:880
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3660
        
        C:\Windows\SysWOW64\WinzAPI32.exe
        
        C:\Windows\system32\WinzAPI32.exe 1160 "C:\Windows\SysWOW64\WinzAPI32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        11⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:592
        
        C:\Windows\SysWOW64\WinzAPI32.exe
        
        C:\Windows\system32\WinzAPI32.exe 1180 "C:\Windows\SysWOW64\WinzAPI32.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        12⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
294976e85ad11a45853f99c1b208723f

SHA1
8d83101d69420b5af97ec517165d849d3ab498fc

SHA256
04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff

SHA512
e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
e78a2688839aaee80b2bfdc4639329c5

SHA1
818a0dd05493b075a9f2eaf063e64d5a653f470a

SHA256
bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d

SHA512
2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
501effddf60a974e98b67dc8921aa7e8

SHA1
734dfe4b508dbc1527ec92e91821a1251aec5b2e

SHA256
672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06

SHA512
28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
752fd85212d47da8f0adc29004a573b2

SHA1
fa8fe3ff766601db46412879dc13dbec8d055965

SHA256
9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e

SHA512
d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
f1cbbc2ce0d93c45a92edcc86780e9f0

SHA1
d893306caae2584cdeba4c80c3bfe18548fa227a

SHA256
6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7

SHA512
b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
f31b2aa720a1c523c1e36a40ef21ee0d

SHA1
9c8089896c55e6e6a9cca99b1b98c544723d314e

SHA256
cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716

SHA512
a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f82bc8865c1f6bf7125563479421f95c

SHA1
65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d

SHA256
f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6

SHA512
00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
895301bce84d6fe707b5cfd50f1f9f97

SHA1
50a012f59655621768f624c4571654145663c042

SHA256
b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

SHA512
a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c1e5f93e2bee9ca33872764d8889de23

SHA1
167f65adfc34a0e47cb7de92cc5958ee8905796a

SHA256
8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a

SHA512
482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d8be0d42e512d922804552250f01eb90

SHA1
cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3

SHA256
901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82

SHA512
f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5855edf3afa67e11de78af0389880d18

SHA1
c43fcd36d70a6ffcd41fbb48c1d0c406fd00286f

SHA256
c7798759a159989611cdf47f702c8813ad0f029b52f18af573f383859a8bfaaa

SHA512
5be99a55f86486c04bda0a089571c296d041dae337321578c0f8d19d7bd2e51802aafbc8716753b6191b8e5ced782a5bc7d44bdd4995ab8e6ac1f7cd4b0f91ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
815B

MD5
fadf3805f68986d2ee9c82f560a564e4

SHA1
87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6

SHA256
d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759

SHA512
e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
849B

MD5
558ce6da965ba1758d112b22e15aa5a2

SHA1
a365542609e4d1dc46be62928b08612fcabe2ede

SHA256
c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

SHA512
37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
61ec72543aaac5c7b336d2b22f919c07

SHA1
5bddb1f73b24c2113e9bf8268640f75fb0f3bd8d

SHA256
088881ff28ef1240847decd884be366614865bf9660f862dbffa64d504467aea

SHA512
e8ed6c1813218a542e0449f6bcda47b9464f2445a5d4b20e20b657d5328eb9fd5ddf859e61794a0b3d32057590ac029064c078d5743fe1a316ca8fdf254f7f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
574B

MD5
5020988c301a6bf0c54a293ddf64837c

SHA1
5b65e689a2988b9a739d53565b2a847f20d70f09

SHA256
a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d

SHA512
921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
2299014e9ce921b7045e958d39d83e74

SHA1
26ed64f84417eb05d1d9d48441342ca1363084da

SHA256
ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57

SHA512
0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
1b2949b211ab497b739b1daf37cd4101

SHA1
12cad1063d28129ddd89e80acc2940f8dfbbaab3

SHA256
3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c

SHA512
a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f708dcfd087b5b3763678cfb8d63735e

SHA1
a38fa7fa516c1402762425176ff1b607db36c752

SHA256
abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10

SHA512
fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c

Download Submit
C:\Windows\SysWOW64\WinzAPI32.exe

Filesize
213KB

MD5
339cb8e57b78b295b7fca6bd0e4944bd

SHA1
6c7942db591c43d7a6238169e886abb958e51e01

SHA256
356902ac1b2532a0f938728162a76e293ade1c89e0915319c7d4cf09b8ec3031

SHA512
60d383ba5409d3a29c3264e45d0d2f7426343526acf8464d7e51162015b3fdf8f57a095f1ccaca4b847884d6fb79a71f4be5964e554cb3832a2bcbe94d24ea76

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/688-699-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1152-360-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1484-813-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1484-701-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1608-134-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1608-359-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/1608-127-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/1608-130-0x0000000000590000-0x0000000000595000-memory.dmp

Filesize
20KB

Download
memory/1608-126-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1608-131-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1608-132-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1608-133-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1608-246-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2596-815-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2596-927-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2644-1153-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2740-1266-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4348-0-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4348-5-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4348-6-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4348-7-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4348-243-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4348-8-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4348-1-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/4348-9-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4348-10-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4348-244-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/4348-2-0x00000000022A0000-0x00000000022A3000-memory.dmp

Filesize
12KB

Download
memory/4348-4-0x0000000002290000-0x0000000002295000-memory.dmp

Filesize
20KB

Download
memory/4388-473-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4488-1040-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4628-586-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads