Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system -
submitted
01-08-2024 03:09
Static task
static1
Behavioral task
behavioral1
Sample
7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
7ef58fae6597873eb9ddc200749efb54
-
SHA1
01b74eb79082d0465ab8654b6a71c8570ac8743a
-
SHA256
046af6ee479e05559a9830dc541785559e7a006cc1761c1f9f6acd6b9fbef0e9
-
SHA512
97bcd602af86fdab80368e376712739dc96535026b77b87b6ff5e5f53796c0f39f6ec33954b8655aff64b8ca3bf7faa7e666f8aa5790d8a974c8ca408d0be14f
-
SSDEEP
24576:4DTCwXMdaEkx9Tod/Z/Va9nVFMG17y+g3LZjQsW2l9r/ArJf4q0/9xAN6:L4E0odR/SnVKaux3LZssW2lF4Ff43s6
Malware Config
Signatures
-
DarkTrack payload 7 IoCs
resource yara_rule behavioral2/files/0x00080000000234a0-36.dat family_darktrack behavioral2/memory/2208-50-0x0000000000400000-0x00000000004A8000-memory.dmp family_darktrack behavioral2/memory/4344-113-0x0000000000400000-0x0000000000600000-memory.dmp family_darktrack behavioral2/memory/3488-124-0x0000000000400000-0x00000000004A8000-memory.dmp family_darktrack behavioral2/memory/5016-127-0x0000000000400000-0x0000000000600000-memory.dmp family_darktrack behavioral2/memory/4024-138-0x0000000000400000-0x00000000004A8000-memory.dmp family_darktrack behavioral2/memory/5100-153-0x0000000000400000-0x00000000004A8000-memory.dmp family_darktrack -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\WindowsShellHelper.exe" WindowsSeverHelper.pif -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 5052 netsh.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation WindowsShellHelper.exe Key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation GOOGLESERVERHELPER.EXE Key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation 7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation WindowsSeverHelper.pif Key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation RUNTIME BROKER.EXE -
Executes dropped EXE 13 IoCs
pid Process 4344 WindowsSeverHelper.pif 4348 CIOUD.EXE 4800 GOOGLESERVERHELPER.EXE 2208 RUNTIME BROKER.EXE 5100 Runtime Broker.exe 5016 WindowsShellHelper.exe 4272 CIOUD.EXE 2184 GOOGLESERVERHELPER.EXE 3488 RUNTIME BROKER.EXE 4008 CIOUD.EXE 4056 GOOGLESERVERHELPER.EXE 4024 RUNTIME BROKER.EXE 2064 GoogleServerHelper.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSeverHelper = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\WindowsShellHelper.exe" WindowsSeverHelper.pif Set value (str) \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe" notepad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSeverHelper = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\WindowsShellHelper.exe" WindowsShellHelper.exe Set value (str) \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSeverHelper = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\WindowsShellHelper.exe" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Host = "C:\\Program Files (x86)\\UDP Host\\udphost.exe" CIOUD.EXE -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CIOUD.EXE -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5016 set thread context of 1692 5016 WindowsShellHelper.exe 103 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\UDP Host\udphost.exe CIOUD.EXE File opened for modification C:\Program Files (x86)\UDP Host\udphost.exe CIOUD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RUNTIME BROKER.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RUNTIME BROKER.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOOGLESERVERHELPER.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOOGLESERVERHELPER.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RUNTIME BROKER.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Runtime Broker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CIOUD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CIOUD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GOOGLESERVERHELPER.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsShellHelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CIOUD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GoogleServerHelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsSeverHelper.pif -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1120 PING.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ WindowsSeverHelper.pif -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1120 PING.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4348 CIOUD.EXE 4348 CIOUD.EXE 4348 CIOUD.EXE 4348 CIOUD.EXE 4348 CIOUD.EXE 4348 CIOUD.EXE -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 5100 Runtime Broker.exe 4348 CIOUD.EXE 1692 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4344 WindowsSeverHelper.pif Token: SeSecurityPrivilege 4344 WindowsSeverHelper.pif Token: SeTakeOwnershipPrivilege 4344 WindowsSeverHelper.pif Token: SeLoadDriverPrivilege 4344 WindowsSeverHelper.pif Token: SeSystemProfilePrivilege 4344 WindowsSeverHelper.pif Token: SeSystemtimePrivilege 4344 WindowsSeverHelper.pif Token: SeProfSingleProcessPrivilege 4344 WindowsSeverHelper.pif Token: SeIncBasePriorityPrivilege 4344 WindowsSeverHelper.pif Token: SeCreatePagefilePrivilege 4344 WindowsSeverHelper.pif Token: SeBackupPrivilege 4344 WindowsSeverHelper.pif Token: SeRestorePrivilege 4344 WindowsSeverHelper.pif Token: SeShutdownPrivilege 4344 WindowsSeverHelper.pif Token: SeDebugPrivilege 4344 WindowsSeverHelper.pif Token: SeSystemEnvironmentPrivilege 4344 WindowsSeverHelper.pif Token: SeChangeNotifyPrivilege 4344 WindowsSeverHelper.pif Token: SeRemoteShutdownPrivilege 4344 WindowsSeverHelper.pif Token: SeUndockPrivilege 4344 WindowsSeverHelper.pif Token: SeManageVolumePrivilege 4344 WindowsSeverHelper.pif Token: SeImpersonatePrivilege 4344 WindowsSeverHelper.pif Token: SeCreateGlobalPrivilege 4344 WindowsSeverHelper.pif Token: 33 4344 WindowsSeverHelper.pif Token: 34 4344 WindowsSeverHelper.pif Token: 35 4344 WindowsSeverHelper.pif Token: 36 4344 WindowsSeverHelper.pif Token: SeIncreaseQuotaPrivilege 5016 WindowsShellHelper.exe Token: SeSecurityPrivilege 5016 WindowsShellHelper.exe Token: SeTakeOwnershipPrivilege 5016 WindowsShellHelper.exe Token: SeLoadDriverPrivilege 5016 WindowsShellHelper.exe Token: SeSystemProfilePrivilege 5016 WindowsShellHelper.exe Token: SeSystemtimePrivilege 5016 WindowsShellHelper.exe Token: SeProfSingleProcessPrivilege 5016 WindowsShellHelper.exe Token: SeIncBasePriorityPrivilege 5016 WindowsShellHelper.exe Token: SeCreatePagefilePrivilege 5016 WindowsShellHelper.exe Token: SeBackupPrivilege 5016 WindowsShellHelper.exe Token: SeRestorePrivilege 5016 WindowsShellHelper.exe Token: SeShutdownPrivilege 5016 WindowsShellHelper.exe Token: SeDebugPrivilege 5016 WindowsShellHelper.exe Token: SeSystemEnvironmentPrivilege 5016 WindowsShellHelper.exe Token: SeChangeNotifyPrivilege 5016 WindowsShellHelper.exe Token: SeRemoteShutdownPrivilege 5016 WindowsShellHelper.exe Token: SeUndockPrivilege 5016 WindowsShellHelper.exe Token: SeManageVolumePrivilege 5016 WindowsShellHelper.exe Token: SeImpersonatePrivilege 5016 WindowsShellHelper.exe Token: SeCreateGlobalPrivilege 5016 WindowsShellHelper.exe Token: 33 5016 WindowsShellHelper.exe Token: 34 5016 WindowsShellHelper.exe Token: 35 5016 WindowsShellHelper.exe Token: 36 5016 WindowsShellHelper.exe Token: SeIncreaseQuotaPrivilege 1692 iexplore.exe Token: SeSecurityPrivilege 1692 iexplore.exe Token: SeTakeOwnershipPrivilege 1692 iexplore.exe Token: SeLoadDriverPrivilege 1692 iexplore.exe Token: SeSystemProfilePrivilege 1692 iexplore.exe Token: SeSystemtimePrivilege 1692 iexplore.exe Token: SeProfSingleProcessPrivilege 1692 iexplore.exe Token: SeIncBasePriorityPrivilege 1692 iexplore.exe Token: SeCreatePagefilePrivilege 1692 iexplore.exe Token: SeBackupPrivilege 1692 iexplore.exe Token: SeRestorePrivilege 1692 iexplore.exe Token: SeShutdownPrivilege 1692 iexplore.exe Token: SeDebugPrivilege 1692 iexplore.exe Token: SeSystemEnvironmentPrivilege 1692 iexplore.exe Token: SeChangeNotifyPrivilege 1692 iexplore.exe Token: SeRemoteShutdownPrivilege 1692 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2772 wrote to memory of 1864 2772 7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe 85 PID 2772 wrote to memory of 1864 2772 7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe 85 PID 1864 wrote to memory of 4344 1864 cmd.exe 89 PID 1864 wrote to memory of 4344 1864 cmd.exe 89 PID 1864 wrote to memory of 4344 1864 cmd.exe 89 PID 4344 wrote to memory of 4348 4344 WindowsSeverHelper.pif 90 PID 4344 wrote to memory of 4348 4344 WindowsSeverHelper.pif 90 PID 4344 wrote to memory of 4348 4344 WindowsSeverHelper.pif 90 PID 4344 wrote to memory of 4800 4344 WindowsSeverHelper.pif 91 PID 4344 wrote to memory of 4800 4344 WindowsSeverHelper.pif 91 PID 4344 wrote to memory of 4800 4344 WindowsSeverHelper.pif 91 PID 4344 wrote to memory of 2208 4344 WindowsSeverHelper.pif 92 PID 4344 wrote to memory of 2208 4344 WindowsSeverHelper.pif 92 PID 4344 wrote to memory of 2208 4344 WindowsSeverHelper.pif 92 PID 2208 wrote to memory of 5100 2208 RUNTIME BROKER.EXE 94 PID 2208 wrote to memory of 5100 2208 RUNTIME BROKER.EXE 94 PID 2208 wrote to memory of 5100 2208 RUNTIME BROKER.EXE 94 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 5100 wrote to memory of 3052 5100 Runtime Broker.exe 95 PID 4344 wrote to memory of 2876 4344 WindowsSeverHelper.pif 96 PID 4344 wrote to memory of 2876 4344 WindowsSeverHelper.pif 96 PID 4344 wrote to memory of 2876 4344 WindowsSeverHelper.pif 96 PID 2876 wrote to memory of 1120 2876 cmd.exe 98 PID 2876 wrote to memory of 1120 2876 cmd.exe 98 PID 2876 wrote to memory of 1120 2876 cmd.exe 98 PID 4344 wrote to memory of 5016 4344 WindowsSeverHelper.pif 99 PID 4344 wrote to memory of 5016 4344 WindowsSeverHelper.pif 99 PID 4344 wrote to memory of 5016 4344 WindowsSeverHelper.pif 99 PID 5016 wrote to memory of 4272 5016 WindowsShellHelper.exe 100 PID 5016 wrote to memory of 4272 5016 WindowsShellHelper.exe 100 PID 5016 wrote to memory of 4272 5016 WindowsShellHelper.exe 100 PID 5016 wrote to memory of 2184 5016 WindowsShellHelper.exe 101 PID 5016 wrote to memory of 2184 5016 WindowsShellHelper.exe 101 PID 5016 wrote to memory of 2184 5016 WindowsShellHelper.exe 101 PID 5016 wrote to memory of 3488 5016 WindowsShellHelper.exe 102 PID 5016 wrote to memory of 3488 5016 WindowsShellHelper.exe 102 PID 5016 wrote to memory of 3488 5016 WindowsShellHelper.exe 102 PID 5016 wrote to memory of 1692 5016 WindowsShellHelper.exe 103 PID 5016 wrote to memory of 1692 5016 WindowsShellHelper.exe 103 PID 5016 wrote to memory of 1692 5016 WindowsShellHelper.exe 103 PID 5016 wrote to memory of 1692 5016 WindowsShellHelper.exe 103 PID 5016 wrote to memory of 1692 5016 WindowsShellHelper.exe 103 PID 1692 wrote to memory of 4008 1692 iexplore.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BCC8.tmp\BCC9.bat C:\Users\Admin\AppData\Local\Temp\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\BCC8.tmp\WindowsSeverHelper.pifWindowsSeverHelper.pif3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:4348
-
-
C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4800 -
C:\Users\Admin\AppData\Roaming\GoogleServerHelper.exe"C:\Users\Admin\AppData\Roaming\GoogleServerHelper.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\GoogleServerHelper.exe" "GoogleServerHelper.exe" ENABLE6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5052
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\notepad.exenotepad6⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3052
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 55⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1120
-
-
-
C:\Users\Admin\AppData\Roaming\MSDCSC\WindowsShellHelper.exe"C:\Users\Admin\AppData\Roaming\MSDCSC\WindowsShellHelper.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4272
-
-
C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184
-
-
C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3488
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4008
-
-
C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4056
-
-
C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4024
-
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1628
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
496B
MD55b4789d01bb4d7483b71e1a35bce6a8b
SHA1de083f2131c9a763c0d1810c97a38732146cffbf
SHA256e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
SHA512357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede
-
Filesize
319B
MD591046f2e147049d3e53cd9bf9d4d95ed
SHA1228e347d062840b2edcbd16904475aacad414c62
SHA256ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc
SHA512071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0
-
Filesize
48B
MD555b802862d9eaffe7b7fb6eeae66d729
SHA1b014e037b3849cf206bdd4d2910e9a1803dfe5e0
SHA2561491837dd6978e9323d1f2e7b3bcb6da5e7eb5373245ec569a8f2624ede90ba0
SHA51290f86153716997025a105d64286e2ad6c8ea06951278def6d8f39b76518e966c3ac62e45f986bf4ad9cf3d11264f0ecbe65c42f78cb3fb9096b25a36a341001c
-
Filesize
33B
MD58a018ca11acfbd81dc4b301fbbcd58d5
SHA1c8e8f856dd9f2c1b904df66c183e3674625b28f4
SHA256b5823db59fcf22262591aecb537ad79764a62925b7ed409615d0cb8d7b37272d
SHA512b7e9f1b6c668f2e6aede983d485979cbed363d15fcf135af9fa8fd949483f3410b17ce383006dfad43243cc884da9b3fcadbfc60a872901e3f1e6e0889f6f028
-
Filesize
221KB
MD57172a8eae4d545316d8d707e0df02632
SHA149e921f5b8d89c2b4b0017f2920dbdbfd1a55c72
SHA25610556edc1a886af540632f6c9b9bbaf3d263e1cd975b1f67d571faf5c67cf950
SHA5120bb6d1769c5670f1e41659f3e934acb4682d1abd03926caddd858baf8db3f2773e5e66a9a749ee109d4599363fa78cc24c006e2f9ff07c7cdb6762ecac733c99
-
Filesize
1.0MB
MD55aa470a6aefd43f2bb371c6d4ff0e81c
SHA11ff99e88b23fe31798176d7de1dc0fab8891bed8
SHA2564070967cb1326a2685821810479dd8b2c5c3db8c2de1177a5ae42edd7263ac69
SHA51269fa0cf4e2fe5b98b696b50bd9fc429036a01d54b66bd707ddf550fa7003950874c8ea1dc2fbcc7f3f023ef6a44d0f727b59f3a393a199c68910cfc5c876d655
-
Filesize
595KB
MD5890e94388a40a56ef27d6d1d94b72290
SHA1310a196df36bd06ab6660daaf7bdfd6f2aa6b403
SHA256da403e7a6dd93e9357f6fa630a4b2edcc1558174802cad90330365db79d223fc
SHA51253d4914ef2e1c4395e63891d7aec07f5c11dbb1e0a1599adfabbc306a5c17d796c1fc8d290bf4b5e2b0d9b0f99924f0257c045dab13cf4092525a38ff501f754
-
Filesize
33KB
MD503a9d8b71175a13df468482dd8c28f70
SHA1bc1b0a9973274d4281b81657cb9e8b65466a58fe
SHA2567804b4f4792567cef30f25bf4c2c9d8248c283f46412e24f6896f25968788d75
SHA512f91bd85c80af299691921068a9dcc8de5af5911be2405276b00f05e0aa9a00fb27d9c56d9b22c4960d11b846cb1879218c38b740f42266ddaebc2a51ff74709a
-
Filesize
627KB
MD5f6c8aff612013d1b6cf238f51b0fee1c
SHA18bef1fe8cafd7c99289f8ed666116a454af825be
SHA256847cd3461fd87a7d4b3c9c221ebadaedd03838fd9b4c618f0684436473a8d51d
SHA512a49390f3de6a17e18a1bd1541b0f49f4b3ff0bb187f1d13dead813549b6558cec3e8a3959c45df828a1bc0004593aa78797c123c8abfe5715ca28b49c857e816
-
Filesize
94B
MD527e006d678ffe5ce2ad37649ff333b49
SHA1a5654ed2b5fa772aab6daae7fd3f53b65ad5c187
SHA256dd3291b12b6ae3a3a4a72e033dfd249da18049138e72f41743c307762f2dd9c4
SHA512f6cb88b1f858cbcabb9965a6b4b066da65a434a0342d7b7a5b89bc0f107b76356202d67aac54ffadb084a4b6d67562320a287d32d9b4019d336d38e0ae8ad7ac