ed6587ce7a7193c998f98deac51bccbbeb1a0dc996c1ee0aa360bef719445ab4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3517beb5ced98d822cd9396dead47832_JaffaCakes118.exe
Size

8KB
MD5

3517beb5ced98d822cd9396dead47832
SHA1

1c6164798e5523017908bb32d20945bcf637e3a8
SHA256

ed6587ce7a7193c998f98deac51bccbbeb1a0dc996c1ee0aa360bef719445ab4
SHA512

8ef5e2c79b0382c82fe1b20ad9609459662a4acc04a79c784f53ac66bc33c90035b714b6cf34db11418a540114361847fb28a912f1a3570a26f442f73afd1e8b
SSDEEP

192:wBVjzv4ebxE8Hei08pDMbFUOcWFaNJhLkwcud2DH9VwGfctlnO:wBVf4ebxrc8ASOcCaNJawcudoD7Ui

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	3517beb5ced98d822cd9396dead47832_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 1 IoCs

pid	Process
3236	b2e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1244-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/1244-11-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12368	dwm.exe
Token: SeChangeNotifyPrivilege	12368	dwm.exe
Token: 33	12368	dwm.exe
Token: SeIncBasePriorityPrivilege	12368	dwm.exe
Token: SeShutdownPrivilege	12368	dwm.exe
Token: SeCreatePagefilePrivilege	12368	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 3236	1244	3517beb5ced98d822cd9396dead47832_JaffaCakes118.exe	85
PID 1244 wrote to memory of 3236	1244	3517beb5ced98d822cd9396dead47832_JaffaCakes118.exe	85
PID 1244 wrote to memory of 3236	1244	3517beb5ced98d822cd9396dead47832_JaffaCakes118.exe	85
PID 3236 wrote to memory of 1608	3236	b2e.exe	86
PID 3236 wrote to memory of 1608	3236	b2e.exe	86
PID 3236 wrote to memory of 1608	3236	b2e.exe	86
PID 1608 wrote to memory of 4732	1608	cmd.exe	89
PID 1608 wrote to memory of 4732	1608	cmd.exe	89
PID 1608 wrote to memory of 4732	1608	cmd.exe	89
PID 1608 wrote to memory of 4824	1608	cmd.exe	90
PID 1608 wrote to memory of 4824	1608	cmd.exe	90
PID 1608 wrote to memory of 4824	1608	cmd.exe	90
PID 1608 wrote to memory of 5020	1608	cmd.exe	93
PID 1608 wrote to memory of 5020	1608	cmd.exe	93
PID 1608 wrote to memory of 5020	1608	cmd.exe	93
PID 1608 wrote to memory of 4852	1608	cmd.exe	95
PID 1608 wrote to memory of 4852	1608	cmd.exe	95
PID 1608 wrote to memory of 4852	1608	cmd.exe	95
PID 1608 wrote to memory of 1548	1608	cmd.exe	96
PID 1608 wrote to memory of 1548	1608	cmd.exe	96
PID 1608 wrote to memory of 1548	1608	cmd.exe	96
PID 1608 wrote to memory of 2876	1608	cmd.exe	97
PID 1608 wrote to memory of 2876	1608	cmd.exe	97
PID 1608 wrote to memory of 2876	1608	cmd.exe	97
PID 1608 wrote to memory of 1556	1608	cmd.exe	99
PID 1608 wrote to memory of 1556	1608	cmd.exe	99
PID 1608 wrote to memory of 1556	1608	cmd.exe	99
PID 1608 wrote to memory of 4292	1608	cmd.exe	100
PID 1608 wrote to memory of 4292	1608	cmd.exe	100
PID 1608 wrote to memory of 4292	1608	cmd.exe	100
PID 1608 wrote to memory of 3628	1608	cmd.exe	102
PID 1608 wrote to memory of 3628	1608	cmd.exe	102
PID 1608 wrote to memory of 3628	1608	cmd.exe	102
PID 1608 wrote to memory of 4408	1608	cmd.exe	103
PID 1608 wrote to memory of 4408	1608	cmd.exe	103
PID 1608 wrote to memory of 4408	1608	cmd.exe	103
PID 1608 wrote to memory of 1472	1608	cmd.exe	106
PID 1608 wrote to memory of 1472	1608	cmd.exe	106
PID 1608 wrote to memory of 1472	1608	cmd.exe	106
PID 1608 wrote to memory of 1192	1608	cmd.exe	111
PID 1608 wrote to memory of 1192	1608	cmd.exe	111
PID 1608 wrote to memory of 1192	1608	cmd.exe	111
PID 1608 wrote to memory of 2296	1608	cmd.exe	112
PID 1608 wrote to memory of 2296	1608	cmd.exe	112
PID 1608 wrote to memory of 2296	1608	cmd.exe	112
PID 1608 wrote to memory of 4804	1608	cmd.exe	113
PID 1608 wrote to memory of 4804	1608	cmd.exe	113
PID 1608 wrote to memory of 4804	1608	cmd.exe	113
PID 1608 wrote to memory of 688	1608	cmd.exe	114
PID 1608 wrote to memory of 688	1608	cmd.exe	114
PID 1608 wrote to memory of 688	1608	cmd.exe	114
PID 1608 wrote to memory of 2032	1608	cmd.exe	116
PID 1608 wrote to memory of 2032	1608	cmd.exe	116
PID 1608 wrote to memory of 2032	1608	cmd.exe	116
PID 1608 wrote to memory of 4956	1608	cmd.exe	118
PID 1608 wrote to memory of 4956	1608	cmd.exe	118
PID 1608 wrote to memory of 4956	1608	cmd.exe	118
PID 1608 wrote to memory of 1632	1608	cmd.exe	121
PID 1608 wrote to memory of 1632	1608	cmd.exe	121
PID 1608 wrote to memory of 1632	1608	cmd.exe	121
PID 1608 wrote to memory of 620	1608	cmd.exe	123
PID 1608 wrote to memory of 620	1608	cmd.exe	123
PID 1608 wrote to memory of 620	1608	cmd.exe	123
PID 1608 wrote to memory of 3984	1608	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\3517beb5ced98d822cd9396dead47832_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3517beb5ced98d822cd9396dead47832_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\9FBA.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\9FBA.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\9FBA.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\3517beb5ced98d822cd9396dead47832_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A1CE.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:3628
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:3508
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:3260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:3584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:3164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5628
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:5728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6256
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6352
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6376
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6404
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6428
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6564
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6876
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:6908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8508
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8536
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:8736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:7380
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9236
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9252
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9284
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:9992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10104
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10144
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:10984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11048
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11072
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11136
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11144
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11152
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:12172
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:12248
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:12256
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:12264
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      PID:11240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:11880

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9FBA.tmp\b2e.exe

Filesize
8KB

MD5
4c0c73a87af0fcdd48dcf47a93b2967e

SHA1
99b97dccee682019ca2551f5839b0ffa802abb4b

SHA256
fc742d7d77fee3bc03951d827303710b0279022b9454b80df03abbf46fdb2e71

SHA512
e8fdd8d36080f029b79ace532c444edb356d3543143843341c6db5b7ca1dc9d6dca7928ce4642e6d78a46c7ebc5af0877db5a0c7da2147e3bb0a2d2e5049f581

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1CE.tmp\batchfile.bat

Filesize
17B

MD5
d66750ca42f2f5a26bba0b4f186ac432

SHA1
253ad9503f175d226180fee563219534aabd21a8

SHA256
20d5ca842e7e7fd88da295c49f6e2e799b9782a51a41325b1613a565a4403f21

SHA512
855ca063b8b0548f0d394e272fc7708123a8c062b4a915cd91ad305865e8259de4ec9968e484ab5f1f967933e8415216b41f85516652409667aa114831c2d25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
d1ab78c948c6be1f28156ddc58888c86

SHA1
f5fe870f1fe558b4f2bede00beb495b00d2d4458

SHA256
b4c99f5f314993dc092f0e3a5de10e0ea5501bb6876a8154631f6e8e9a525397

SHA512
3a959243538704280c32fc8f04bca750dc94e60246606cefac975bc818a5193ebf3684f36b39faa4814d0b2ba67c34343ece0b992c84050390d4a4acfe48e2f8

Download Submit
memory/1244-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1244-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3236-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3236-19-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads