phorphiex | 654a7085e77f0d09d8670c6c5ead85d9c59f8205f4e2e2cfa2f5002fec62fc52

General

Target

774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe
Size

23.2MB
MD5

774c8da38e2508dd73b56b33c3bea62b
SHA1

4d118194ed4b9ebcad837f9dcbb4c2c6d7d75039
SHA256

654a7085e77f0d09d8670c6c5ead85d9c59f8205f4e2e2cfa2f5002fec62fc52
SHA512

15064d605d7c4e7184aeba2d443f821629a5fa0113dc5e4203ca97864df954d1bcff1992abddba86f517479bfbc4ffa2df7ffa3432b13e7dfa9ba1a8a9c6b0d4
SSDEEP

393216:uqzoRzWy1upx+2foBNNWLlss+UCAMrhU5XCXxv8jydfZxzuZTJKTq57rPGkET1yI:Dmup2LNiy42hSCXxSypZxqfPz3ET1rR

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Attributes

mutex
tre5eer
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysarddrvs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysarddrvs.exe

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\CF60.exe	family_phorphiex
\Users\Admin\AppData\Local\Temp\92486825.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sylsplvc.exesysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2796 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2796	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

CF60.exe774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmpsylsplvc.exeGARunOnce.exe92486825.exesysarddrvs.exe2324231330.exe463312215.exe

pid	process
2792	CF60.exe
3056	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
2628	sylsplvc.exe
2720	GARunOnce.exe
1896	92486825.exe
1832	sysarddrvs.exe
1864	2324231330.exe
1248	463312215.exe

Loads dropped DLL 14 IoCs

Processes:

774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmpGARunOnce.exesylsplvc.exesysarddrvs.exe

pid	process
2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe
2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe
2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe
3056	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
3056	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
3056	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
3056	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
2720	GARunOnce.exe
2720	GARunOnce.exe
2628	sylsplvc.exe
2628	sylsplvc.exe
2628	sylsplvc.exe
1832	sysarddrvs.exe
1832	sysarddrvs.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sylsplvc.exesysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sylsplvc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CF60.exe92486825.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sylsplvc.exe"	CF60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	92486825.exe

Drops file in Windows directory 4 IoCs

Processes:

CF60.exe92486825.exe

description	ioc	process
File created	C:\Windows\sylsplvc.exe	CF60.exe
File opened for modification	C:\Windows\sylsplvc.exe	CF60.exe
File created	C:\Windows\sysarddrvs.exe	92486825.exe
File opened for modification	C:\Windows\sysarddrvs.exe	92486825.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2772 sc.exe
2836 sc.exe
2356 sc.exe
1600 sc.exe
2684 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2772	sc.exe
2836	sc.exe
2356	sc.exe
1600	sc.exe
2684	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sc.exe774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmpcmd.exesc.exe92486825.exesylsplvc.exesysarddrvs.execmd.exepowershell.exeGARunOnce.exeCF60.exesc.exesc.exesc.exe774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92486825.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sylsplvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GARunOnce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CF60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2796 powershell.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysarddrvs.exe

pid process

1832 sysarddrvs.exe

pid	process
2796	powershell.exe

pid	process
1832	sysarddrvs.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

GARunOnce.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2720	GARunOnce.exe
Token: SeAuditPrivilege	2720	GARunOnce.exe
Token: SeSecurityPrivilege	2720	GARunOnce.exe
Token: SeTakeOwnershipPrivilege	2720	GARunOnce.exe
Token: SeManageVolumePrivilege	2720	GARunOnce.exe
Token: SeRestorePrivilege	2720	GARunOnce.exe
Token: SeBackupPrivilege	2720	GARunOnce.exe
Token: SeLoadDriverPrivilege	2720	GARunOnce.exe
Token: SeSystemEnvironmentPrivilege	2720	GARunOnce.exe
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exeCF60.exe774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmpsylsplvc.exe92486825.exesysarddrvs.execmd.execmd.exe

description	pid	process	target process
PID 2068 wrote to memory of 2792	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	CF60.exe
PID 2068 wrote to memory of 2792	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	CF60.exe
PID 2068 wrote to memory of 2792	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	CF60.exe
PID 2068 wrote to memory of 2792	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	CF60.exe
PID 2068 wrote to memory of 3056	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 2068 wrote to memory of 3056	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 2068 wrote to memory of 3056	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 2068 wrote to memory of 3056	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 2068 wrote to memory of 3056	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 2068 wrote to memory of 3056	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 2068 wrote to memory of 3056	2068	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 2792 wrote to memory of 2628	2792	CF60.exe	sylsplvc.exe
PID 2792 wrote to memory of 2628	2792	CF60.exe	sylsplvc.exe
PID 2792 wrote to memory of 2628	2792	CF60.exe	sylsplvc.exe
PID 2792 wrote to memory of 2628	2792	CF60.exe	sylsplvc.exe
PID 3056 wrote to memory of 2720	3056	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp	GARunOnce.exe
PID 3056 wrote to memory of 2720	3056	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp	GARunOnce.exe
PID 3056 wrote to memory of 2720	3056	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp	GARunOnce.exe
PID 3056 wrote to memory of 2720	3056	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp	GARunOnce.exe
PID 2628 wrote to memory of 1896	2628	sylsplvc.exe	92486825.exe
PID 2628 wrote to memory of 1896	2628	sylsplvc.exe	92486825.exe
PID 2628 wrote to memory of 1896	2628	sylsplvc.exe	92486825.exe
PID 2628 wrote to memory of 1896	2628	sylsplvc.exe	92486825.exe
PID 1896 wrote to memory of 1832	1896	92486825.exe	sysarddrvs.exe
PID 1896 wrote to memory of 1832	1896	92486825.exe	sysarddrvs.exe
PID 1896 wrote to memory of 1832	1896	92486825.exe	sysarddrvs.exe
PID 1896 wrote to memory of 1832	1896	92486825.exe	sysarddrvs.exe
PID 1832 wrote to memory of 1764	1832	sysarddrvs.exe	cmd.exe
PID 1832 wrote to memory of 1764	1832	sysarddrvs.exe	cmd.exe
PID 1832 wrote to memory of 1764	1832	sysarddrvs.exe	cmd.exe
PID 1832 wrote to memory of 1764	1832	sysarddrvs.exe	cmd.exe
PID 1832 wrote to memory of 1356	1832	sysarddrvs.exe	cmd.exe
PID 1832 wrote to memory of 1356	1832	sysarddrvs.exe	cmd.exe
PID 1832 wrote to memory of 1356	1832	sysarddrvs.exe	cmd.exe
PID 1832 wrote to memory of 1356	1832	sysarddrvs.exe	cmd.exe
PID 1764 wrote to memory of 2796	1764	cmd.exe	powershell.exe
PID 1764 wrote to memory of 2796	1764	cmd.exe	powershell.exe
PID 1764 wrote to memory of 2796	1764	cmd.exe	powershell.exe
PID 1764 wrote to memory of 2796	1764	cmd.exe	powershell.exe
PID 1356 wrote to memory of 2772	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2772	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2772	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2772	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2836	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2836	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2836	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2836	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2356	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2356	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2356	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2356	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 1600	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 1600	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 1600	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 1600	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2684	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2684	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2684	1356	cmd.exe	sc.exe
PID 1356 wrote to memory of 2684	1356	cmd.exe	sc.exe
PID 2628 wrote to memory of 1864	2628	sylsplvc.exe	2324231330.exe
PID 2628 wrote to memory of 1864	2628	sylsplvc.exe	2324231330.exe
PID 2628 wrote to memory of 1864	2628	sylsplvc.exe	2324231330.exe
PID 2628 wrote to memory of 1864	2628	sylsplvc.exe	2324231330.exe
PID 1832 wrote to memory of 1248	1832	sysarddrvs.exe	463312215.exe

C:\Users\Admin\AppData\Local\Temp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\CF60.exe
  "C:\Users\Admin\AppData\Local\Temp\CF60.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\sylsplvc.exe
    C:\Windows\sylsplvc.exe
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\92486825.exe
      C:\Users\Admin\AppData\Local\Temp\92486825.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\sysarddrvs.exe
        
        C:\Windows\sysarddrvs.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of WriteProcessMemory
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2684
      - C:\Users\Admin\AppData\Local\Temp\463312215.exe
        
        C:\Users\Admin\AppData\Local\Temp\463312215.exe
        6⤵
        Executes dropped EXE
        
        PID:1248
  - - C:\Users\Admin\AppData\Local\Temp\2324231330.exe
      C:\Users\Admin\AppData\Local\Temp\2324231330.exe
      4⤵
      Executes dropped EXE
      PID:1864
- C:\Users\Admin\AppData\Local\Temp\is-CCOOI.tmp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CCOOI.tmp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp" /SL5="$601B0,23808793,140800,C:\Users\Admin\AppData\Local\Temp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\is-VL2CE.tmp\GARunOnce.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VL2CE.tmp\GARunOnce.exe" RunInstall|1|C:\Users\Admin\AppData\Local\Temp\is-VL2CE.tmp|std|aomei|pa|en
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-VL2CE.tmp\PartAssist.exe

Filesize
8.0MB

MD5
f2b1cd6484072ebc2e7e2edb5634e7c5

SHA1
5742c16f3177c88850e0a00186ce2f88875fc827

SHA256
963086b6cf5725d0749edda5d2cae4d29f617b89dc11ba8a8f0c04647fdef046

SHA512
c8192b8863d9d8ddd663a3e613c2fb4c7bf6a0fbdbc3ab3146b4935798b51c6268fb6dddde83c69749d5ea082843d31c4737ce9b0325fcd5a76e0b9d6b41ceb2

Download Submit
\Users\Admin\AppData\Local\Temp\2324231330.exe

Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
\Users\Admin\AppData\Local\Temp\92486825.exe

Filesize
79KB

MD5
a7f8236eb39605d51964bf50fd015332

SHA1
c627b0f52fa94bfefa7a7d17056f82f00737876c

SHA256
1b5b8d4000174658b280d11ce9143d60ac3db44b9885f35545c3b6c9aeb5ac13

SHA512
d4095d868abe76bf9b1f827a7a41ea9b4ea375e21ac68193927c1e82e60a8cdbc4fcd89b66aff883544bb8eec5f6e5542b7f732f605e22ce1822072908145442

Download Submit
\Users\Admin\AppData\Local\Temp\CF60.exe

Filesize
79KB

MD5
1e8a2ed2e3f35620fb6b8c2a782a57f3

SHA1
e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a

SHA256
3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879

SHA512
ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade

Download Submit
\Users\Admin\AppData\Local\Temp\is-CCOOI.tmp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp

Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
\Users\Admin\AppData\Local\Temp\is-VL2CE.tmp\GARunOnce.exe

Filesize
181KB

MD5
89ffb996d7a0bb9301bf4bb5599ec887

SHA1
5253dfdaae7f157a773fa1e445cdf6740a9fc014

SHA256
27aa98f58990d028dd6d3c80065ea387dae3cdff9daee5c703ff347e791ee2e8

SHA512
9acf5d5827a4de324b7a41ab89f608317c3c496ad6f45710dac9611364fbc943612c5ef706ceeab05b6b49cd8e16da89331671ac3525978c4d5dee8cfc550be7

Download Submit
\Users\Admin\AppData\Local\Temp\is-VL2CE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2068-56-0x0000000000400000-0x000000000042DDA0-memory.dmp

Filesize
183KB

Download
memory/2068-13-0x0000000000400000-0x000000000042DDA0-memory.dmp

Filesize
183KB

Download
memory/2068-84-0x0000000000400000-0x000000000042DDA0-memory.dmp

Filesize
183KB

Download
memory/2068-11-0x0000000000400000-0x000000000042DDA0-memory.dmp

Filesize
183KB

Download
memory/3056-19-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/3056-58-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/3056-82-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads