Analysis
- max time kernel: 148s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23/07/2024, 07:50 UTC
Behavioral tasks
- behavioral1: Sample 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe, Resource win7-20240708-en
- behavioral2: Sample 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe, Resource win10v2004-20240709-en
General
- Target: 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe
- Size: 68KB
- MD5: 66b9ae16c073bbb3ab2389e72318cf1b
- SHA1: e50ceab851ed8a4a4bcaaa0f3a53cedcd8bc8485
- SHA256: b092c0173e46fe385eb002a0faf1bfb6432194ded5de8d3ca99ff9ec19fbca8a
- SHA512: cb9344e01e782000314689dbcee5dbd55da0ee70e274590831101f4ce4a7498f36d23dfe4be0b50eb7f09d64e9d7a3aba3c105596830dda917c82cf1938431af
- SSDEEP: 768:PTxrUL23qmT5o7B51+6TS+MoRoOUf5cx8zf6t/5HNk3AEoOvx1Q3i5nR09QzTGfc:15oln+NoRoOUfGft/fAAEoObwQ0g
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
Drops startup file (1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1681.lnk | explorer.exe |
Executes dropped EXE (1 IoC)

| pid | Process |
| --- | --- |
| 1708 | explorer.exe |
Loads dropped DLL (3 IoCs)

| pid | Process |
| --- | --- |
| 2416 | 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe |
| 2416 | 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe |
| 1708 | explorer.exe |
Modifies system executable filetype association (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | explorer.exe |
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2416-0-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-10-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/files/0x00090000000120f8-7.dat | upx |
| behavioral1/memory/2416-27-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-34-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-39-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-43-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-48-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-52-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-57-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-61-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-66-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-70-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-75-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-79-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-84-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-88-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
| behavioral1/memory/1708-92-0x0000000000400000-0x0000000000433000-memory.dmp | upx |
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe |
| File opened for modification | C:\Program Files (x86)\Common Files\uiui8.dll | explorer.exe |
| File created | C:\Program Files (x86)\Common Files\uiui8.dll | explorer.exe |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | explorer.exe |
| File opened for modification | C:\Program Files (x86)\Common Files | explorer.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | explorer.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1708 | explorer.exe |
| Token: SeDebugPrivilege | 1708 | explorer.exe |
Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
| --- | --- |
| 1708 | explorer.exe |
| 1708 | explorer.exe |
Suspicious use of WriteProcessMemory (4 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2416 wrote to memory of 1708 | 2416 | 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe | 30 |
| PID 2416 wrote to memory of 1708 | 2416 | 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe | 30 |
| PID 2416 wrote to memory of 1708 | 2416 | 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe | 30 |
| PID 2416 wrote to memory of 1708 | 2416 | 66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe | 30 |
Processes
1. C:\Users\Admin\AppData\Local\Temp\66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe (PID 2416)
   Command line: "C:\Users\Admin\AppData\Local\Temp\66b9ae16c073bbb3ab2389e72318cf1b_JaffaCakes118.exe"
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe (PID 1708)
      Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Event Triggered Execution: Image File Execution Options Injection
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
- Persistence
  - Event Triggered Execution (2)
    - Change Default File Association (1)
    - Image File Execution Options Injection (1)
- Privilege Escalation
  - Event Triggered Execution (2)
    - Change Default File Association (1)
    - Image File Execution Options Injection (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)